| title | Remote Device Action: Quick Scan |
|---|---|
| description | Learn how to initiate on demand Microsoft Defender quick scan with Microsoft Intune. |
| ms.date | 10/27/2025 |
| ms.topic | how-to |
The quick scan remote action in Microsoft Intune enables IT administrators to start a targeted malware scan on managed Windows devices by using Microsoft Defender Antivirus. This action scans key system areas where threats commonly appear—such as memory, startup folders, and running processes—without performing a full system sweep.
Quick scans are especially useful for routine health checks, validating recent policy deployments, or responding to low-risk alerts. By triggering a scan remotely from the Intune admin center, IT teams can quickly assess device health and ensure protection is up to date—without waiting for the next scheduled scan or relying on user intervention.
:::row::: :::column span="1"::: [!INCLUDE platform]
:::column-end::: :::column span="3":::
This remote action supports the following platform:
- Windows
:::column-end::: :::row-end:::
:::row::: :::column span="1":::
[!INCLUDE rbac] :::column-end::: :::column span="3":::
To run this remote action, use an account with at least one of the following roles:
- Help Desk Operator
- Endpoint Security Manager
- Custom role that includes:
- The permission Remote tasks/Windows defender
- Permissions that provide visibility into and access to managed devices in Intune (for example, Organization/Read, Managed devices/Read) :::column-end::: :::row-end:::
- In the Microsoft Intune admin center, select Devices > All devices.
- From the devices list, select a device.
- At the top of the device overview pane, find the row of remote action icons. Select Quick scan.
- Microsoft Graph API: windowsDefenderScan action
- Configuration service provider (CSP) used to initiate the remote action: Defender CSP